Virtual LANs - uniroma2.it · Virtual LANs. Giuseppe Bianchi Broadcast issues ... One switch per...

16
Tecnologie e Protocolli per Internet 1 Prof. Stefano Salsano e-mail: [email protected] AA2012/13 – Blocco 4 – v1 Giuseppe Bianchi Virtual LANs

Transcript of Virtual LANs - uniroma2.it · Virtual LANs. Giuseppe Bianchi Broadcast issues ... One switch per...

Tecnologie e Protocolli per Internet 1

Prof. Stefano Salsanoe-mail: [email protected]

AA2012/13 – Blocco 4 – v1

Giuseppe Bianchi

Virtual LANs

Giuseppe Bianchi

Broadcast issues

Switches: - did partition collision domains

- bud DID not partition broadcast domain

Giuseppe Bianchi

The “obvious” solution: IP subnets

�Partition network into several subnets

�Critical approach (especially in the past):

�routers were slow

�Need to replace switches with routers

�No more a problem of efficiency, today

�layer 3 switches = hardware-based routers, very fast!

�However…

Giuseppe Bianchi

Cons of physical IP subnets

LAB 1

(telecom)

LAB 2

(nanotech)OFFICES

Floor

2

� One switch per lab!

� Even if all switches in a same floor box, manual connection necessary

� Different LAB rooms = different subnets!

� Broadcast domain cannot extend through routers � more complex management needed

LAB 2

(telecom)Floor

1

Giuseppe Bianchi

Physical Network Design vs

Logical Network Design

� Standard design for physical network

� Well before network partitioning needs emerge from customers of the building!

Canalina metallica forata

Prese RJ45

Cablaggio orizzontale in rame

Armadio di

pianoPrese RJ45

Stanza Stanza Stanza

StanzaStanzaStanza

Armadio di

piano

Tubo in PVC – Cablaggio verticale in Fibra Ottica

Canalina metallica - Cablaggio verticale di backup in rame

Canalina in PVC �

Giuseppe Bianchi

Solution: Virtual LAN (VLAN)

� VLAN = area which limits the broadcast domain

� Benefits� Broadcast confinement – solves scalability issues of large flat networks� Isolation of failures and network impairments� Security (more later)

� Multiple VLANs may coexist over a same Switched LAN

Giuseppe Bianchi

VLAN Membership� Per Port

� THE typical VLAN approach

� The IEEE 802.1Q approach

� Per User�Via MAC address�Via VLAN tag

� Results: anarchic VLAN� but too easy to break into �

� Per Protocol

� New feature in IEEE 802.1v

� Combination (cross-layer)

� Supported as proprietary extensions�Via IP subnet address�….

� Classification hierarchy may be defined�E.g. per IP subnet; � if not IP � per protocol; � if not in the set of classified protocols

� per MAC; � if not in MAC list per port.

Giuseppe Bianchi

Physical vs logical view

(i.e. why VLANS instead of IP network)

� Layer 3 subnets ought to be physically separated

� BUT many VLANs may overlap

� on the same, unique physical network structure!

� Robust, failure-proof, single managed

Giuseppe Bianchi

VLANs and IP subnets /1

� 1 VLAN = 1 IP subnet

� Routers are needed to move frames from different VLANs

� Even if STAs are in the same physical network

� Inter-VLAN connectivity through router: improves security

� May apply packet filtering mechanisms such as ACL, etc

Giuseppe Bianchi

VLANs and IP subnets /2

� Routers for VLAN interconnection may have as little as just one physical interface

� Also called, in jargon, “one-armed routers”

� Multiple IP addresses on the single interface

160.80.80.0/24

160.80.81.0/24

160.80.80.100

160.80.81.100

Giuseppe Bianchi

VLAN tagging

Giuseppe Bianchi

Port types

ACCESS port: transmits and receives untagged frames

i.e. with no VLAN membership indication

TRUNK port: transmits and receives tagged frames

i.e. with explicit VLAN membership indication

HYBRID ports: may handle both tagged and untagged frames

Giuseppe Bianchi

Access links

� A link connected to an access port

� Typically the PC-to-switch link

� or small-hub-to-switch link

� Connected STAs belong to only 1 VLAN

� Connected STAs DO NOT NEED TO KNOW they are on a VLAN

� They just assume to be on a dedicated IP subnet

� TX/RX frames:

� standard Ethernet (no QTAG prefix)

S1

S2

S3

HUB

Access port

Giuseppe Bianchi

Access links (legacy regions)

�May be switched LANs themselves

�Made up by VLAN-unaware switches

S2

S3

VLAN-unaware

switch

Access port

VLAN-aware

switch

VLAN-unaware

switch

S1

Giuseppe Bianchi

Trunk links� A link connected to a trunk port

� Typically switch-to-switch or switch-to-router links

� frequently server-to-switch link

� If PC-to-switch link:�Anarchic VLANs considered

� Support tagged Ethernet frames

� Explicit tagging mechanism to differentiate them

� Does not belong to a VLAN but transport VLAN frames

� Either from all VLANs

� Or just from selected VLANs

� However, may belong to a VLAN

� Case of hybrid link

� Untagged frames assumed to belong to a VLAN

Trunk port

Giuseppe Bianchi

Hybrid links

� Support both tagged and untagged Ethernet frames

� Untagged frames belong to the same VLAN (in the example, VLAN C)

� Modern understanding and implementations: all links are of hybrid type…

Giuseppe Bianchi

Ethernet Frame format for VLAN

(802.3ac, 1998)

QTag type = 0x8100

QTag prefix = 4 bytes

Maximum frame: 1522 (!!)> 1518 = baby giant

Giuseppe Bianchi

User Priority (802.1p)

0 BE Best Effort (default)

1 BK Background

2 --- Unspecified

3 EE Excellent Effort

4 CL Controlled Load

5 VI Video < 100ms latency/jitter

6 VO Voice < 10 ms latecny/jitter

7 NC Network Control

Managed via separated output queues

- typically with priority queueing

- but more complex scheduling mechanisms can be used

Giuseppe Bianchi

May a station belong to

more than 1 VLAN?

Access links Access links

Trunk

link

Yes! (typical case: servers)

Giuseppe Bianchi

Switch operation with VLANs

Giuseppe Bianchi

VLAN and forwarding

Red,Green

GreenBlue,Green

No spanning tree considerations at the moment…

Trunk ports may forwardonly selected VLAN tags

Manual (static) configuration

Automatic (dynamic) configurationvia specially devised protocols(GVRP: GARP VLAN Registration Protocol)

GARP = Generic Attribute Registr. Prot.See clause 10, 802.1D 1998 version

Giuseppe Bianchi

VLAN switch: relay functions

� Ingress function

� Classification of each received frame as belonging to one and only one VLAN�Based on tag�Based on port (e.g.) for untagged frames

� Discard frame based on normal bridging rules PLUS VLAN classification�E.g. unallowed VLAN tag from port

� Ingress function = Access control using switches rather than routers!

� Forward function

� Only on specific enabled ports for given VLAN

� Egress function

� Add tag (or leave previous tag) if trunk link;

� Remove tag if access link

Giuseppe Bianchi

Learning

� Learning process affected by VLAN

� MAC address is no more the only information to consider!

� VLAN Identifier is also necessary

� Shared VLAN Learning (SVL)

� 1 single filtering DB

� if individual MAC Address learned in one VLAN, learned information used in forwarding decisions relative to all other VLANs

� Independent VLAN Learning (IVL)

� 1 filtering DB per each VLAN ID

� if individual MAC Address learned in one VLAN, learned information NOT used in forwarding decisions relative to all other VLANs

� General case (SVL/IVL)

� Many filtering DBs (each with a Filtering ID – FID)

� Each FID may include more than 1 VLAN

Giuseppe Bianchi

Filtering DB

Shared VLAN Learning (SVL)

Dest MAC Address Ports Age vlan----------------- ----- ---00-00-08-11-aa-01 1/1 1 1200-b0-8d-13-1a-f1 1/7 4 43a8-11-06-00-0b-b4 2/3 0 1208-01-00-00-a7-64 2/4 1 100-ff-08-10-44-01 2/6 5 12

Giuseppe Bianchi

Filtering DB

Independent VLAN Learning (IVL)

FID=12 Dest MAC Address Ports Age----------------- ----- ---00-00-08-11-aa-01 1/1 1a8-11-06-00-0b-b4 2/3 000-ff-08-10-44-01 2/6 5

FID=43 Dest MAC Address Ports Age----------------- ----- ---00-b0-8d-13-1a-f1 1/7 4

FID=1 Dest MAC Address Ports Age----------------- ----- ---08-01-00-00-a7-64 2/4 1

Distinct Filtering DBs (each assigned a Filtering ID)

Giuseppe Bianchi

Filtering DB

Independent VLAN Learning (IVL)

� In most cases, no matter wthere IVL or SVL is used

� However, in some particolar cases, IVL or SVL are necessary

� Notation used in what follows:

� Member set�Set of ports through which members of the VLAN can be reached

� Untagged set�Set of ports through which, if frames are to be transmitted, they shall

be transmitted without tag» Untagged set for a port may include multi VLANs (see SVL example

next)

� PVID (Port VLAN ID)�VLAN associated to the port

See 802.1Q-2003, Annex B (pag. 245-252) for detaile d explanationof following examples

Giuseppe Bianchi

Nella larga maggioranza dei casi, utilizzare il meccanismo IVL o quello SVL è equivalente. Vi sono casi particolari in cui questo non è vero e bisogna utilizzare uno dei due meccanismi.

Nel primo esempio (“Why IVL?”) si considera l’utili zzo di dispositivi “ibridi” detti “Connector” (vedi anche http://en.wikipedia.org/wiki/Bridge_Router) che operano in modalità intermedia tra livello 2 e 3 In pratica possono effettuare l’inoltro di una trama da una VLAN all’altra in modalità switched se NON riconoscono il protocollo di livello superiore, oppure lavorare a livello 3 se riconoscono il protocollo di livello superiore (quindi operano come router per IP).

Nel secondo esempio (“Why SVL?”) si mostra come è possibile far lavorare un server “legacy” (cioè che non sia progettato per operare sulle VLAN ma su una LAN tradizionale) in modo da interoperare contemporaneamente con dispositivi su diverse VLAN.

Giuseppe Bianchi

Why IVL? /1

SVL would not work!! (A learned from both port 1 and 4)

(no STP in the example…)

Note: it is (also) a bridge device!

Were it a router, no problems!

Giuseppe Bianchi

Relativamente alla slide precedente, si assuma che A invia una trama con indirizzo MAC di destinazione B, appartenente ad un protocollo di livello superiore NON noto, quindi il connector inoltrerà questa trama dalla porta X alla porta Y (assumendo che aveva già “imparato” l’indirizzo di B)

Il bridge VLAN-aware impara l’indirizzo di A sulla porta 4.

Se qualcuno invia al bridge VLAN-aware una trama destinata ad A, appartenente alla VLAN rossa, il brigde VLAN-aware deve inoltrarla sulla porta 1 e non sulla porta 4 !

Nella slide seguente il problema è lo stesso, solo che il connector opera come un dispositivo “VLAN aware” e quindi ha una sola porta di tipo “trunk” su cui invia e riceve trame VLAN tagged.

Giuseppe Bianchi

Why IVL? /2

SVL would not work!! (A learned from both port 1 and 3)

(STP enabled, VLAN-aware connector)

Giuseppe Bianchi

Why SVL?

�VLAN unaware server to be shared among VLANs

�Must use untagged access link

�Asymmetric VLANs!